Accept password parameter as CharArray for improved security

rfc2822 · rfc2822 · commit 05fb8ecda6fd · 2025-05-22T18:39:28.000+02:00
- contents of CharArray can't be printed by accidental toString() (for instance in logs)
- CharArray allows clearing the memory beven before GC runs (however dav4jvm and okhttp generates Strings with the password, so that will be of limited use yet)
diff --git a/src/main/kotlin/at/bitfire/dav4jvm/BasicDigestAuthHandler.kt b/src/main/kotlin/at/bitfire/dav4jvm/BasicDigestAuthHandler.kt
@@ -42,7 +42,7 @@ class BasicDigestAuthHandler(
     val domain: String?,
 
     val username: String,
-    val password: String,
+    val password: CharArray,
 
     val insecurePreemptive: Boolean = false
 ): Authenticator, Interceptor {
@@ -135,7 +135,7 @@ class BasicDigestAuthHandler(
                  So, UTF-8 encoding for credentials is compatible with all RFC 7617 servers and many,
                  but not all pre-RFC 7617 servers. */
                 return request.newBuilder()
-                        .header(HEADER_AUTHORIZATION, Credentials.basic(username, password, Charsets.UTF_8))
+                        .header(HEADER_AUTHORIZATION, Credentials.basic(username, password.concatToString(), Charsets.UTF_8))
                         .build()
             }
 
@@ -194,9 +194,9 @@ class BasicDigestAuthHandler(
 
             val a1: String? = when (algorithm) {
                 Algorithm.MD5 ->
-                    "$username:$realm:$password"
+                    "$username:$realm:${password.concatToString()}"
                 Algorithm.MD5_SESSION ->
-                    h("$username:$realm:$password") + ":$nonce:$clientNonce"
+                    h("$username:$realm:${password.concatToString()}") + ":$nonce:$clientNonce"
                 else ->
                     null
             }
@@ -225,7 +225,7 @@ class BasicDigestAuthHandler(
 
             // legacy (backwards compatibility with RFC 2069)
             if (algorithm == Algorithm.MD5) {
-                val a1 = "$username:$realm:$password"
+                val a1 = "$username:$realm:${password.concatToString()}"
                 val a2 = "$method:$digestURI"
                 response = kd(h(a1), nonce + ":" + h(a2))
             }
diff --git a/src/test/kotlin/at/bitfire/dav4jvm/BasicDigestAuthHandlerTest.kt b/src/test/kotlin/at/bitfire/dav4jvm/BasicDigestAuthHandlerTest.kt
@@ -27,7 +27,7 @@ class BasicDigestAuthHandlerTest {
 
     @Test
     fun testBasic() {
-        var authenticator = BasicDigestAuthHandler(null, "user", "password")
+        var authenticator = BasicDigestAuthHandler(null, "user", "password".toCharArray())
         val original = Request.Builder()
                         .url("http://example.com")
                         .build()
@@ -41,7 +41,7 @@ class BasicDigestAuthHandlerTest {
         assertEquals("Basic dXNlcjpwYXNzd29yZA==", request!!.header("Authorization"))
 
         // special characters: always use UTF-8 (and don't crash on RFC 7617 charset header)
-        authenticator = BasicDigestAuthHandler(null, "username", "paßword")
+        authenticator = BasicDigestAuthHandler(null, "username", "paßword".toCharArray())
         response = response.newBuilder()
                 .header("WWW-Authenticate", "Basic realm=\"WallyWorld\",charset=UTF-8")
                 .build()
@@ -52,7 +52,7 @@ class BasicDigestAuthHandlerTest {
     @Test
     fun testDigestRFCExample() {
         // use cnonce from example
-        val authenticator = BasicDigestAuthHandler(null, "Mufasa", "Circle Of Life")
+        val authenticator = BasicDigestAuthHandler(null, "Mufasa", "Circle Of Life".toCharArray())
         BasicDigestAuthHandler.clientNonce = "0a4f113b"
         BasicDigestAuthHandler.nonceCount.set(1)
 
@@ -83,7 +83,7 @@ class BasicDigestAuthHandlerTest {
 
     @Test
     fun testDigestRealWorldExamples() {
-        var authenticator = BasicDigestAuthHandler(null, "demo", "demo")
+        var authenticator = BasicDigestAuthHandler(null, "demo", "demo".toCharArray())
         BasicDigestAuthHandler.clientNonce = "MDI0ZDgxYTNmZDk4MTA1ODM0NDNjNmJjNDllYjQ1ZTI="
         BasicDigestAuthHandler.nonceCount.set(1)
 
@@ -112,7 +112,7 @@ class BasicDigestAuthHandlerTest {
         assertTrue(auth.contains("opaque=\"df58bdff8cf60599c939187d0b5c54de\""))
 
         // example 2
-        authenticator = BasicDigestAuthHandler(null, "test", "test")
+        authenticator = BasicDigestAuthHandler(null, "test", "test".toCharArray())
         authScheme = Challenge("digest", mapOf(    // lower case
                 Pair("nonce", "87c4c2aceed9abf30dd68c71"),
                 Pair("algorithm", "md5"),
@@ -139,7 +139,7 @@ class BasicDigestAuthHandlerTest {
 
     @Test
     fun testDigestMD5Sess() {
-        val authenticator = BasicDigestAuthHandler(null, "admin", "12345")
+        val authenticator = BasicDigestAuthHandler(null, "admin", "12345".toCharArray())
         BasicDigestAuthHandler.clientNonce = "hxk1lu63b6c7vhk"
         BasicDigestAuthHandler.nonceCount.set(1)
 
@@ -178,7 +178,7 @@ class BasicDigestAuthHandlerTest {
 
     @Test
     fun testDigestMD5AuthInt() {
-        val authenticator = BasicDigestAuthHandler(null, "admin", "12435")
+        val authenticator = BasicDigestAuthHandler(null, "admin", "12435".toCharArray())
         BasicDigestAuthHandler.clientNonce = "hxk1lu63b6c7vhk"
         BasicDigestAuthHandler.nonceCount.set(1)
 
@@ -217,7 +217,7 @@ class BasicDigestAuthHandlerTest {
 
     @Test
     fun testDigestLegacy() {
-        val authenticator = BasicDigestAuthHandler(null, "Mufasa", "CircleOfLife")
+        val authenticator = BasicDigestAuthHandler(null, "Mufasa", "CircleOfLife".toCharArray())
 
         // construct WWW-Authenticate
         val authScheme = Challenge("Digest", mapOf(
@@ -245,7 +245,7 @@ class BasicDigestAuthHandlerTest {
 
     @Test
     fun testIncompleteAuthenticationRequests() {
-        val authenticator = BasicDigestAuthHandler(null, "demo", "demo")
+        val authenticator = BasicDigestAuthHandler(null, "demo", "demo".toCharArray())
 
         val original = Request.Builder()
                 .get()
@@ -272,7 +272,7 @@ class BasicDigestAuthHandlerTest {
 
     @Test
     fun testAuthenticateNull() {
-        val authenticator = BasicDigestAuthHandler(null, "demo", "demo")
+        val authenticator = BasicDigestAuthHandler(null, "demo", "demo".toCharArray())
         // must not crash (route may be null)
         val request = Request.Builder()
                 .get()
